The campaign, which primarily targets East Asian users, begins with emails to high-profile individuals asking them to resolve a payment issue. The email contains a link that redirects the recipient to a fake website imitating a legitimate app, where the threat actors encourage them to install the fake app as an APK (sideloaded, rather than from an official store).
Once installed, the app requests SMS access so it can intercept incoming 2FA codes, then prompts the user to enter their login credentials and credit card information to "resolve" the payment issue. It then displays a "system is busy" message for 10 minutes while it collects the sensitive data and transmits it to the attackers. Because the fake apps closely resemble the legitimate ones in appearance, many users fail to notice their limited functionality and malicious behaviour.
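To make the SMS-interception step concrete from a defender's side, the following is an added Python example (not code from the original article or from the malware) that triages an AndroidManifest.xml for the permission-plus-receiver combination such a fake app needs to read 2FA codes as they arrive; the manifest, package and class names below are constructed samples, not artefacts from the campaign.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def analyze_manifest(manifest_xml):
    """Return the SMS-related capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    # A receiver filtering on SMS_RECEIVED lets an app read each incoming
    # message the moment it arrives, i.e. before the user sees the code.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(name_attr) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(receiver.get(name_attr))
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        # Both together in a sideloaded "payment" app is the pattern worth
        # escalating; either alone can be legitimate (e.g. a messaging app).
        "suspicious": bool(sms_perms) and bool(sms_receivers),
    }

# Constructed manifest imitating the behaviour described above (hypothetical).
FAKE_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".OtpReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(analyze_manifest(FAKE_APP_MANIFEST))
```

On a real APK, the binary manifest must first be decoded (for example with apktool or aapt) before being passed to this function.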